Executive summary 


Audit Methodology 


The Information Commissioner is responsible for enforcing and promoting compliance with the UK General Data 
Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA18) and other data protection legislation. 
Section 146 of the DPA18 provides the Information Commissioner’s Office (ICO) with the power to conduct 
compulsory audits through the issue of assessment notices. Section 129 of the DPA18 allows the ICO to carry out 
consensual audits. The ICO sees auditing as a constructive process with real benefits for controllers and so aims to 
establish a participative approach. 


Nottinghamshire Healthcare NHS Foundation Trust (the Trust) agreed to a consensual audit of the data protection 
practices in October 2020. 


The purpose of the audit is to provide the Information Commissioner and the Trust with an independent assurance 
of the extent to which the Trust, within the scope of this agreed audit, is complying with data protection 
legislation. 


The scope areas covered by this audit are determined following a risk-based analysis of the Trust’s processing of 
personal data. The scope may take into account any data protection issues or risks which affect their specific 
sector or organisations more widely. The ICO has further tailored the controls covered in each scope area to take 
into account the organisational structure of the Trust, the nature and extent of the Trust’s processing of personal 
data, and to avoid duplication across scope areas. As such, the scope of this audit is unique to the Trust. 
It was agreed that the audit would focus on the following area(s): 


Scope area: Governance & Accountability 
Description: The extent to which information governance accountability, policies and procedures, performance 
measurement controls, and reporting mechanisms to monitor data protection compliance to both the UK GDPR and 
national data protection legislation are in place and in operation throughout the organisation. 

Scope area: Data Sharing 
Description: The design and operation of controls to ensure the sharing of personal data complies with the 
principles of all data protection legislation. 


Audits are conducted following the Information Commissioner’s data protection audit methodology. The key 
elements of this are normally a desk-based review of selected policies and procedures, on-site visits including 
interviews with selected staff, and an inspection of selected records. 


However, due to the outbreak of Covid-19, and the resulting restrictions on travel, this methodology was no 
longer appropriate. Therefore the Trust agreed to continue with the audit on a remote basis. A desk-based review 
of selected policies and procedures and remote telephone interviews were conducted from 10 to 13 August. The 
ICO would like to thank the Trust for its flexibility and commitment to the audit during difficult and challenging 
circumstances. 


Where weaknesses were identified recommendations have been made, primarily around enhancing existing 
processes to facilitate compliance with data protection legislation. In order to assist the Trust in implementing the 
recommendations each has been assigned a priority rating based upon the risks that they are intended to address. 
The ratings are assigned based upon the ICO’s assessment of the risks involved. The Trust’s priorities and risk 
appetite may vary and, therefore, they should undertake their own assessments of the risks identified. 


Audit Summary 


Governance & Accountability: There is a reasonable level of assurance that processes and procedures are in place 
and are delivering data protection compliance. The audit has identified some scope for improvement in existing 
arrangements to reduce the risk of non-compliance with data protection legislation. 

Data Sharing: There is a high level of assurance that processes and procedures are in place and are delivering 
data protection compliance. The audit has identified some scope for improvement in existing arrangements to 
reduce the risk of non-compliance with data protection legislation. 


*The assurance ratings above are reflective of the remote audit methodology deployed at this time and the rating may not necessarily represent a comprehensive 
assessment of compliance. 
Priority Recommendations 


[Bar chart: Breakdown by Scope of Priority Recommendations, with bars for Governance & Accountability and 
Data Sharing and a legend of Low, Medium, High and Urgent] 


The bar chart above shows a breakdown by scope area of the priorities assigned to our recommendations made: 


• Governance & Accountability has 8 high, 10 medium and 1 low priority recommendations. 
• Data Sharing has 4 high, 1 medium and 1 low priority recommendations. 
Graphs and Charts 


Governance & Accountability 
Assurance rating summary 

[Pie chart: Governance & Accountability assurance ratings, with a legend of High, Reasonable, Limited and 
Very Limited] 


The pie chart above shows a summary of the assurance ratings awarded in the Governance & Accountability 
scope. 50% high assurance, 27% reasonable assurance, 18% limited assurance, 5% very limited assurance. 
Data Sharing 
Assurance Rating Summary 

[Pie chart: Data Sharing assurance ratings, with a legend of High, Reasonable, Limited and Very Limited] 


The pie chart above shows a summary of the assurance ratings awarded in the Data Sharing scope. 58% high 
assurance and 42% reasonable assurance. 
Areas for Improvement 


Governance and Accountability 


• The Information Governance structure in the Trust requires strengthening to provide assurance that the DPO 
is able to carry out their functions in an appropriately effective manner as required by data protection 
legislation and that roles and responsibilities across Information Governance are documented accurately. 
The Trust should also work on raising the profile of the DPO across the organisation and ensure that he is 
reporting to the highest level of management. 

• The Trust needs to work on formalising their risk management system by appointing Information Asset 
Owners and Information Asset Administrators across the Trust. These roles should be provided with 
specialised training which should be refreshed when required. 

• The Trust’s legacy systems should be checked to ensure compliance with data protection legislation through 
completing Data Protection Impact Assessments where required. 


Data Sharing 
• The Trust should improve the governance and oversight of information sharing within the Trust by ensuring 
there is an appropriately documented high level information sharing policy or procedure. This should set out 
the responsibilities for information sharing and provide links to the relevant guidance, procedures and 
templates which are approved by senior management. This will help ensure that information sharing has 
been adequately embedded within the Trust’s Information Assurance Framework. 

• The Trust should work on seeking further assurances from information sharing partners with regards to 
meeting the requirements of the legislation, as there is currently insufficient information within the Data 
Sharing agreements to explain how undertakings will be met. 
Disclaimer 
The matters arising in this report are only those that came to our attention during the course of the audit and are not 
necessarily a comprehensive statement of all the areas requiring improvement. 


The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in 
place rests with the management of the Trust. 


We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person 
or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in 
connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss 
occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any 
information contained in this report. 


This report is an exception report and is solely for the use of the Trust. The scope areas and controls covered by the audit 
have been tailored to the Trust and, as a result, the audit report is not intended to be used in comparison with other ICO 
audit reports. 